Philippines election hack: Voter data breach stirs questions

MANILA–The Philippines’ Commission on Elections (Comelec) is assuring the public that a recent data breach of its website won’t compromise the upcoming May 9 national elections.

Comelec Spokesman James Jimenez says no vital voter information such as fingerprints or photos were recovered by the hackers who struck at the end of March. The disclosure follows news this weekend that the records of millions of Filipino voters were accessed by hackers.

In the Philippines, all registered voters are required to provide fingerprint data, address, photo, age, and birth dates in order to vote. The data verifies identities in localities where votes are cast in what will be the country’s third automated election.

The electronic procedure replaced a manual system where voters wrote the name of their preferred candidates on a piece of paper, dropped it in a ballot box, and had it hand-counted by election inspectors.

The law authorizing automated elections in the Philippines was passed by Congress to eradicate election-related violence, ballot snatching and ballot switching.

General elections are conducted in the Philippines every six years to elect a new president, vice president and over 18,000 local positions.

Biggest data breach

Over the weekend, however, global security company Trend Micro revealed in a blog post that sensitive personal information on over 55-million voters was included in a data dump.

Trend Micro said their probe revealed the unprecedented data dump includes 1.3 million records of overseas Filipino voters, including passport numbers and expiry dates.

Demonstration of automated election device in Philippines

Their information also contradicted Comelec’s claim that no sensitive information was stolen. Trend Micro said that 15.8-million voter fingerprint records and a list of people running for office since the 2010 elections had also been leaked.

“Cybercriminals can choose from a wide range of activities to use the information gathered from the data breach to perform acts of extortion. In previous cases of data breach, stolen data has been used to access bank accounts, gather further information about specific persons, used as leverage for spear phishing emails or BEC schemes, blackmail or extortion, and much more,” Trend Micro said in its blog post.

The hacker group involved in the attack uses the name “LulzSec Pilipinas.” It reportedly announced its deed in a Facebook post on March 28. “A great lol to Commission on Elections, here’s your whoooooole database,” the Facebook post read.

More than one hacker attack

The LulzSec Pilipinas occurred shortly after a March 27 attack in which Comelec’s website was defaced by the group calling itself “Anonymous Philippines.” The group claimed responsibility for the attack and explained that the hacking was meant to dramatize the vulnerabilities faced by the country’s automated election system.

“It is impossible for the company to have done the validation by itself,” Jimenez said, “How can they validate the data leak when they have no access to the Comelec’s data base?” He added that Trend Micro’s report only legitimizes the data dump.

“Again the dump has not been authenticated yet … It is a little bit dangerous to have a conclusion about it,” Jimenez said. He also says the agency is trying to confirm what information was in the data dump.

Trend Micro says the leaked voter data is in a text format. The data dump is believed to contain 340 gigabytes of data.

Comelec says it’s conducting an internal investigation that will scrutinize agency staff. The commission says it’s also transferred some workers staff from its Information and Technology Department to another division as a security precaution. Data has also been backed up for a forensic analysis.